A prior work on this was Spafford’s “Proprietary vs Open Source” in 2006. The SCOMP and GEMSOS systems he references are described here. SCOMP was first system certified under TCSEC A1 class in 1985 after five years of analysis and pentesting by NSA evaluators. I think they spent two years on GEMSOS at cost of $50 million they said. Obviously, most security-focused FOSS has had nowhere near that amount of review. There’s also never been a high-assurance, secure system done under FOSS development model: FOSS examples were cathedral-style developments by experts FOSS’d either as they went or after the fact.

This difference between the high potential of FOSS for security vs fact that all strongest systems came from private sector led me to investigate whether the models could be combined. Also, what impact if any did sharing source with everyone have on security? Almost none I found given a strong development and review process will leave almost no defects in system to begin with. The people building or reviewing, esp their skill or time allotted, were the crucial aspect in determining system security. This is also why some of us almost reflexively trust security of code produced by certain people or teams: their mindset, skill, and efforts regularly result in systems or code that does what they claim. Next one probably will, too. Probably. ;)